#openstack-meeting-3 log

16:05:38 <pc_m> #startmeeting vpnaas
16:05:39 <openstack> Meeting started Tue Jun  2 16:05:38 2015 UTC and is due to finish in 60 minutes.  The chair is pc_m. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:05:40 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:05:44 <openstack> The meeting name has been set to 'vpnaas'
16:06:09 <pc_m> Agenda is on the wiki: https://wiki.openstack.org/wiki/Meetings/VPNaaS
16:06:21 <pc_m> #topic announcements
16:06:49 <pc_m> Looks like Liberty 1 is 6/22-26, Liberty 2 7/27-31
16:07:11 <ajmiller> Wow, that's coming right up..
16:07:37 <pc_m> As usual, please look at the bugs and reviews for vpn (see the wiki for links).
16:08:03 <pc_m> I won't cover them today, we can discuss in open discussion, as time allows.
16:08:14 <pc_m> #topic BGP/MPLS and Edge VPN
16:09:06 <pc_m> So the question here is whether either/both of these can/should be combined into the general VPN (IPSec) w.r.t. how the user will use these.
16:09:25 <tmorin> pc_m: good summary
16:09:37 <pc_m> Should we try to make a unified API that can cover each of these? Does it make sense?
16:09:49 <vikram> pc_m:+1
16:09:54 <angela-s> pc_m +1
16:09:55 <john_a_joyce> I believe it would make sense
16:10:09 <dhruvdhody> pc_m:+1
16:10:20 <tmorin> the issue I see is that, while we could come up with common APi object...
16:10:29 <tmorin> ... the workflows will be totally different
16:10:34 <john_a_joyce> at least there are common elements to the two API proposals and with the current VPNaaS
16:10:39 <vikram> IMHO we should have a unified API but need to check how realistic it could be
16:10:40 <pc_m> So, I'll open the floor to let people discuss their thoughts...
16:10:59 <tmorin> this leads me to believe that a unified API may not necessarily add value
16:11:00 <sridhar_ram> pc_m: +1 for unified API, among class of VPNs
16:11:04 <tmorin> and might even increase confusion
16:11:14 <ajmiller> pc_m: As part of this it would be great to gather some use cases, that might help guide whether it makes sense for a unified API, or separate APIs
16:11:21 <pc_m> tmorin: Can you elaborate??
16:11:41 <pc_m> ajmiller: +1000 I myself am shaky on the understanding of each.
16:11:43 <tmorin> yes
16:11:54 <sridhar_ram> if IPSec is a L3 VPN that connects tenant networks to different remote networks.. it would make sense to unify
16:11:57 <john_a_joyce> IMO - there are two distinct elements of the APIs - the signaling of the routes and the details of the connection
16:12:01 <tmorin> in the use case and workflow in the BGP VPN API that we propose, the tenant is not independent, he cannot build the VPN himself
16:12:16 <sridhar_ram> but for L2 VPN .. we need one unified API for L2 VPN, IMO
16:12:17 <tmorin> he depends on the provider and cloud operator to first create this VPN
16:12:34 <tmorin> this is completely different from IPSec, or SSL, VPNs
16:12:42 <john_a_joyce> tmorin: so your API is more geared to how to signal the routes?
16:12:45 <sridhar_ram> john_a_joyce: +1
16:12:49 <tmorin> the acronyms are the same, but the model behing is very different
16:12:52 <angela-s> tmorin: that is the same for edge vpn, it is not a tenant role
16:13:00 <sridhar_ram> that is how dmvpn data model is emerging as well
16:13:24 <tmorin> john_a_joyce: not really, our API allows to describe to which BGP VPN a tenant network is connected
16:13:36 <pcarver> At the risk of broadening the topic even further, I just created an RFE for ML3, modular layer 3 similar in concept to ML2. It seems to me that BGP and IPSec/SSL VPNs have a close tie in to the concept of routers.
16:14:05 <tmorin> our API does not dictate how the routes are signalled
16:14:18 <tmorin> which component does this is determined by the driver/backend architecture
16:14:24 <john_a_joyce> tmorin: sure and you don't get into too much detail on how the connection/tunnel is created
16:14:38 <tmorin> indeed
16:15:02 <john_a_joyce> tmorin:  but you are indicating the routing relationship i.e. VPN - to network
16:15:07 <tmorin> yes
16:15:35 <john_a_joyce> tmorin: so that is what I really like about your API - it is simple at that level
16:15:37 <tmorin> setting up so-called "tunnels" is most often not even done at all
16:15:50 <tmorin> yes, this is the goal
16:16:19 <tmorin> if other things (e.g. BGP peerings) need to be automated, we think this is a different issue to be handled with another component
16:16:27 <tmorin> may or may not even by in openstack
16:16:33 <john_a_joyce> tmorin:  but when you get in the semantics of the connection itself then it merges with the other work edge, VPNaaS and maybe dmvpn
16:16:52 <tmorin> it may, but as I said, the workflow may or may not converge
16:17:01 <sridhar_ram> tmorin: could creating the "tunnel" (or the equivalent) and pushing the routes could be separated ?
16:17:04 <tmorin> I don't think they do for IPSec
16:17:23 <tmorin> sridhar_ram: yes
16:17:23 <john_a_joyce> sridhar_ram: that is exactly what I was thinking
16:17:39 <tmorin> sridhar_ram: sometimes you don't even have a tunnel in the implementation, so yes, for sure
16:17:42 <john_a_joyce> IMO that gives a path to convergence
16:18:09 <sridhar_ram> tmorin: I see. Still we need something to model the VPN construct
16:18:37 <sridhar_ram> tmorin: Here is my worry .. we might end up with an explosion of tons of APIs for each and every VPN type
16:18:50 <john_a_joyce> that would be bad
16:18:52 <pc_m> sridhar_ram: +1
16:19:00 <tmorin> tons I don't know
16:19:11 <vikram> from the user view this is not good
16:19:19 <tmorin> and if the workflow behind is stronly distinct, having more than one makes sense
16:19:19 <angela-s> sridhar_ram: +1
16:19:22 <vikram> having separate api for diff usecase
16:19:29 <sridhar_ram> Can the tunnel creation part atleast for these PE based VPNs be extraploated to something common ?
16:19:52 <pcarver> isn't the most important thing from the user's perspective the networks and routers in Neutron/OpenStack that they want to add connectivity too? The mechanism is secondary.
16:19:55 <tmorin> vikram: no, i believe it makes sense to have different APIs if the use case and workflows are different enough
16:20:21 <john_a_joyce> tmorin:
16:20:28 <pcarver> BGP MPLS vs IPSec/SSL are just the details of how to connect
16:20:30 <tmorin> sridhar_ram: again, with BGP VPN, we don't need to instantiate tunnel objects at all
16:20:35 <tmorin> nothing to converge here
16:20:41 <john_a_joyce> tmorin: we should look at the high level what is common
16:20:58 <sridhar_ram> pcarver: Associating the VPN use are creating to tenant networks is understood.. IPSec has a working model and it works well IMO
16:21:01 <tmorin> three letters :)
16:21:03 <john_a_joyce> i think we are agreeing the tunnel part is likely not common
16:21:27 <tmorin> john_a_joyce:  three letters may be the only thing in common  (V,P,N)
16:21:34 <john_a_joyce> but the association or networks/routes to VPNs can probably be made common
16:21:50 <sridhar_ram> tmorin: But there shd be some representation of the "entity" that you want neutron network to talk to ..
16:21:56 <pcarver> sridhar_ram: That's good. My point is that it should work consistently. If it works well for IPSec then we should see if it can work the same way for MPLS.
16:22:23 <tmorin> sridhar_ram: well, it does not necessarily belong to this API
16:22:42 <tmorin> sridhar_ram: it can be config driver, or an admin-only API if you want to API-drive it
16:22:52 <tmorin> config-driven sorry
16:23:04 <sridhar_ram> tmorin: in IPSec site-connection IMO represents the what is entity being created and how routes are pushed
16:23:05 <tmorin> john_a_joyce: yes, possibly
16:23:43 <tmorin> the current model for IPSec (associating to routers) does not work well for l2 BGP VPNs (E-VPN)
16:24:11 <sridhar_ram> tmorin: thats exactly where some of need to be educated :)'
16:24:35 <sridhar_ram> *some of us
16:24:40 <vikram> Hi All, I think we are off track.. The discussion was about converging edge-vpn and BGPVPN API's. What's the conclusion on this?
16:25:04 <tmorin> sridhar_ram: well, quite simply: if you extend an Ethernet network through a bgpvpn, you don't want to go through an IP stack
16:25:39 <john_a_joyce> i think the majority think we need to try harder to converge
16:25:42 <sridhar_ram> tmorin: the admin vs tenant API restriction is well taken ... it can be factored in the API permission
16:25:49 <john_a_joyce> trying to find the common parts
16:25:55 <pcarver> tmorin: I don't think it's just some letters in common. I think that the most basic aspect from a tenant view point is that I've got some networks here and some networks there and I want to connect them. Ideally the only difference in the "how" is what data elements I need to supply in order to state "which network do I want to connect to"
16:26:12 <sridhar_ram> pcarver: +1
16:26:20 <john_a_joyce> pcarver: +1
16:26:22 <pc_m> pcarver: +1
16:26:22 <angela-s> pcarver: +1
16:26:33 <vikram> pcarever: +1
16:26:38 <tmorin> pcarver: well, how the vpn network is created is not always done the same, hence different workflows
16:26:57 <sridhar_ram> tmorin: then should we work on a common L2 VPN framework first
16:27:11 <pcarver> tmorin: no disagreement on that. But I don't think that's important to the tenant.
16:27:11 <sridhar_ram> and then factor in different L2 VPN instantiations off that ?
16:27:37 <tmorin> having converged API object but a different workflow will *not* be user friendly
16:27:40 <john_a_joyce> tmorin: do you mean the details on the transport and signalling protocols?
16:27:44 <pcarver> The tenant wants to know what identifiers do I need to supply to uniquily specify what network.
16:27:51 <pcarver> Not how the plubming works
16:28:03 <tmorin> sridhar_ram: i think this part of the discussion is true for both l2vpn and l3vpn
16:28:21 <john_a_joyce> what seems common to me is that you are conveying which networks are inter-connected in all the proposals
16:28:40 <tmorin> pcarver: for ipsec VPNs, the tenants needs to know about the plumbing to configure its endpoints
16:28:51 <tmorin> john_a_joyce: yes
16:29:11 <tmorin> john_a_joyce: that could also be expressed through a generic poliy framework by the way
16:29:42 <matrohon> the only components that converge seem to be a VPN dummy object, its type and object we can associate to it (depending on the type) no?
16:30:09 <tmorin> pcarver: for ipsec, the tenant creates and configures the plumbing -- that's a major difference
16:31:37 <sridhar_ram> Having a class of VPN created by Admin and used by Tenant can be abstracted
16:31:54 <pcarver> tmorin: It's been a while since I configured VPNs on Cisco routers (and that's the last place I dealt with IPSec) but even then pretty much all I wanted to know was what 3-4 bits of data did I need to plug into the router config to connect to my peer.
16:32:23 <pc_m> could the vpn be characterized by its endpoints and the "type" of connection?
16:32:38 <tmorin> pcarver: yes, indeed, this is the plumbing part that has to be at the hand of the tenant
16:32:43 <pc_m> then for each type, we have API for the details?
16:33:42 <pc_m> For IPSec one specifies the peer IP, peer CIDRs (of remote subnets), and then IPSec features via IKE/IPSec policies
16:33:49 <pcarver> tmorin: I don't think I'm disagreeing with you much. Just trying to frame the "user story"
16:34:10 <pcarver> The tenant will certainly need to supply different data elements for IPSec vs MPLS
16:34:25 <tmorin> I fear the common part will boil down to very trivial things
16:34:30 <tmorin> hence my skepticism
16:34:49 <pc_m> tmorin: Can the endpoints be specified as part of the common part?
16:34:50 <tmorin> at least for what is common bw bgp vpns and ipsec vpns
16:35:01 <tmorin> maybe more convergence can exist for dmvpn
16:35:02 <sridhar_ram> pc_m: IPSec is can put IKE/IPSec/remote-IP in one bucket and put { local tenant networks, remote CIDRs } .. thats a even clear mental model
16:35:11 <pcarver> but in either case their desired workflow really centers around determining the minimal set of required data elements to designate the near and far networks
16:35:20 <tmorin> i'd be happy to hear more on the workflow proposed around dmvpn
16:35:24 <sridhar_ram> If we can come up with something similar for other VPN types..
16:35:31 <tmorin> pc_m: which endpoints ?
16:35:54 <sridhar_ram> tmorin: sure, we will go into dmvpn shortly..
16:35:56 <john_a_joyce> sridhar_ram:  thats exactly the mental model I have as well
16:36:18 <tmorin> pcarver: yes, but this is the last step of the workflow, the vpn creation step differs highly (between ipsec and bgp provider vpns)
16:36:56 <pc_m> tmorin: Like for IPsec, it's the peer and local IP (or maybe the peer and local subnets?)
16:38:25 <sridhar_ram> tmorin: then, atleast among the VPNs created in PE routers we need one model
16:38:27 <tmorin> pc_m: you mean BGP peer ?
16:39:14 <vikram> pc_m: For BGPVPN yes we need to specify bgp  peer ip
16:39:23 <tmorin> sridhar_ram: this is a possibility, but not knowing enough on DMVPN, i don't know yet
16:39:42 <tmorin> vikram: I don't believe so, or at least not in the same API
16:39:46 <pc_m> thinking out loud... is there a way to specify the two  networks being connected up, and then specify the connection details separately, based on the type of VPN?
16:40:01 <tmorin> vikram: the BGP peer is not setup per VPN
16:40:38 <tmorin> vikram: different bgp speakers may also use different ones
16:40:48 <vikram> tmorin: but we need to specify the end-points between which we need to have a VPN connection right?
16:40:59 <tmorin> vikram: if you want to automate this, you can do it with another API, or static, or part of server automation tooling
16:41:14 <tmorin> vikram: what do you mean by endpoints ,
16:41:16 <tmorin> ?
16:41:36 <sridhar_ram> tmorin: DMVPN is created on tenant routers for tenant networks .. it kinda a extenstion of IPSec (instead of site to site it is multi-site)
16:41:45 <vikram> tmorin: 2 sites which user want to connect
16:41:51 <tmorin> pc_m: yes, there could be, but what about the value if the workflows end up so different
16:42:29 <sridhar_ram> tmorin: bringing in BGP speaker differences in API discussion doesn't make sense
16:42:42 <tmorin> vikram: the sites which the user want to connect are not the BGP peers, there may be more than 2, and its ok if there are not known by the API, they will learned via BGP routes
16:42:50 <pc_m> tmorin: I guess it gets back to (for me) understanding the various use cases for each type of VPN.
16:43:05 * pc_m which I sorely lack understanding of
16:43:24 <tmorin> sridhar_ram: does the tenant have to configure routers to connect (non Openstack) physical sites, or is it at the hand of its provider ?
16:44:03 <sridhar_ram> tmorin: there is no non-openstack interaction involved for DMVPN..
16:44:09 <vikram> tmorin: got it
16:44:24 <john_a_joyce> tmorin: if by workflow you mean the backend implementation then I don't follow the argument since that will be very different anyway
16:44:25 <ajmiller> pc_m tmorin: That gets to the heart of it:  We need a common understanding of the various use cases, how tenants and operators configure them.  Who does what, and how.
16:44:34 <sridhar_ram> tmorin: if needed you can connect multiple openstack tenant routers in a DMVPN mesh
16:44:40 <vikram> tmorin: actually i meant sites to be connected..
16:44:43 <sridhar_ram> no PE router involved
16:44:48 <tmorin> sridhar_ram: DMVPN can be used outside any Openstack, right ??
16:45:10 <john_a_joyce> there might be reference implementations in tree and some out and of course many that rely on a controller to render the network
16:45:19 <tmorin> john_a_joyce: no, I essentially means: who creates and controls the parameters for the VPN
16:45:36 <sridhar_ram> tmorin: yes, other remote sites could be non-openstack sites -- imagine a Cisco branch site
16:46:47 <john_a_joyce> tmorin: I am missing the point a bit then - the parameters of the VPN should be in the API
16:46:58 <tmorin> sridhar_ram: ok, but you can also want to connect an existing "WAN" DMVPN to some Openstack VM/network, right ?
16:47:09 <sridhar_ram> john_a_joyce: that in-built control-plane vs sdn controller option is same like any other neutron driver
16:47:42 <tmorin> john_a_joyce: yes, but in the ipsec case controlled by the tenant, and in the bgp vpn case controlled by the admin
16:47:56 <sridhar_ram> tmorin: that existing "WAN" DMVPN node is not under the administrative preview of OpenStack
16:47:57 <tmorin> sridhar_ram: +1
16:48:56 <tmorin> sridhar_ram: ok, for BGP VPNs we want the ability to interconnect with existing WAN BGP VPNs, and need to bring this into view of Neutron
16:48:57 <john_a_joyce> but if it is simply an issue or roles that is preventing convergence then that is easily handled
16:49:41 <sridhar_ram> tmorin: I understand that unique nature and its different compared to neutron-router based VPN (IPSec, DMVPN)
16:49:55 * pc_m time check 10 mins
16:50:28 <tmorin> john_a_joyce: can be handled, but workflows will be so different that I'm challenging that converging (ipsec and bgp vpns) will bring  much value (and might even increase confusion)
16:50:39 <sridhar_ram> tmorin: we should think hard to model that interconnection of existing WAN VPN (i'm intentionally skipping BGP) to neutron networks
16:51:03 <tmorin> sridhar_ram: ok, good to know that our understanding is that DMVPN would be closer to IPSec that bgpvpn
16:51:03 <sridhar_ram> tmorin: BGP should be just one type
16:51:28 <john_a_joyce> pc_m: I think we might need a specific proposal to further this discussion
16:51:33 <tmorin> sridhar_ram: not sure I follow you
16:51:54 <sridhar_ram> if we can model BGP related constucts to similar to IKE (which is IPSec specific) ..
16:52:36 <sridhar_ram> and have a generic "interconnect" API for vpn-id to neutron network id mapping
16:52:55 <sridhar_ram> that later will be same for many differnent WAN / PE Router based VPNs
16:52:56 <sridhar_ram> ?
16:53:12 <pc_m> folk, we're starting to run shy of time here... let's focus on what we should do forward going to try to close on this (if possible :)
16:53:13 <john_a_joyce> Sridhar_ram: +1
16:53:20 <pc_m> sridhar_ram: +1
16:53:27 <pc_m> So...
16:53:41 <pc_m> I've created an etherpad, so we can place our thoughts...
16:53:53 <pc_m> #info https://etherpad.openstack.org/p/vpn-flavors
16:53:53 <vikram> pc_m:+1
16:53:59 <sridhar_ram> pc_m: good idea
16:54:23 <pc_m> Can someone volunteer to plop down use cases for each of the VPN types?
16:54:46 <pc_m> (not one person, but several people for each flavor of VPN)
16:54:56 <sridhar_ram> I can pitch in for neutron-router based VPN
16:55:04 <vikram> Edge VPN i can take up
16:55:09 <pc_m> sridhar_ram: thanks
16:55:10 <tmorin> sridhar_ram: this is doable, but I fear that the difference in the first steps of the workflows would create confusion
16:55:13 <pc_m> vikram: nice
16:55:27 <pc_m> I think it'll help our shared understanding...
16:55:43 <pcarver> I'll schedule some time with one of our MPLS gurus and try to consolidate his thoughts into input for the Etherpad
16:55:45 <tmorin> yes, that was a useful discussion
16:55:50 <tmorin> thanks pc_m for hosting it
16:56:03 <john_a_joyce> thanks pc_m
16:56:07 <sridhar_ram> pc_m: pcarver: thanks!
16:56:07 <tmorin> pcarver: +1
16:56:28 <sridhar_ram> i'm learning here as well.. !
16:56:34 <tmorin> will contribute based on what we already have written in our current spec
16:56:35 <ajmiller> It would also be great if people could add pointers for useful background information, like wiki pages, RFCs, etc....
16:56:45 <ajmiller> I'll contribute to the extent I can.
16:56:49 <pc_m> yes thanks everyone. Let's keep this going and see if we can come up with a proposal to share
16:56:49 <tmorin> there are rfc pointers in our spec
16:56:56 <tmorin> 4364 and 7432 mostly
16:57:03 <ajmiller> tmorin cool
16:57:06 <vikram> ajmiller: sure
16:57:07 <tmorin> makes good fireplace reading ;)
16:57:09 <pc_m> ajmiller: pcarver thanks!
16:57:22 <tmorin> bye folfs
16:57:24 <tmorin> folks
16:57:25 <pc_m> I have been having trouble sleeping at night...
16:57:26 <ajmiller> bye
16:57:26 <dhruvdhody> bye
16:57:26 <john_a_joyce> bye
16:57:30 <pc_m> thanks everyone!
16:57:31 <sridhar_ram> tmorin: RFC are always good for bedtime !
16:57:33 <pc_m> #endmeeting